From: Russ Combs (rucombs) <rucombs@cisco.com>
Date: Mon, 19 Dec 2016 17:50:14 +0000 (-0500)
Subject: Merge pull request #756 in SNORT/snort3 from flush_fix2 to master
X-Git-Tag: 3.0.0-233~134
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2119cb62bfc69bb6db7d92ce208712c230364cb5;p=thirdparty%2Fsnort3.git

Merge pull request #756 in SNORT/snort3 from flush_fix2 to master

Squashed commit of the following:

commit 73fb00538580fac0a17963837190863bb3f8b603
Author: Russ Combs <rucombs@cisco.com>
Date:   Mon Dec 19 11:12:09 2016 -0500

    fix splitter checks to make analyzer happy

commit e50e7b418f3ac7f4a9dc79fcf79fd9be2d3c7d2e
Author: Russ Combs <rucombs@cisco.com>
Date:   Mon Dec 19 07:29:27 2016 -0500

    fallback from paf to atom splitter if flushing past gap
---

diff --git a/src/stream/tcp/tcp_reassembler.cc b/src/stream/tcp/tcp_reassembler.cc
index 5029f51c6..4bd0acb16 100644
--- a/src/stream/tcp/tcp_reassembler.cc
+++ b/src/stream/tcp/tcp_reassembler.cc
@@ -630,6 +630,9 @@ int TcpReassembler::_flush_to_seq(uint32_t bytes, Packet* p, uint32_t pkt_flags)
         s5_pkt->dsize = 0;
         s5_pkt->data = nullptr;
 
+        if ( tracker->splitter->is_paf() and tracker->get_tf_flags() & TF_MISSING_PREV_PKT )
+            fallback();
+
         int32_t flushed_bytes = flush_data_segments(p, footprint);
 
         if ( flushed_bytes == 0 )
@@ -664,6 +667,7 @@ int TcpReassembler::_flush_to_seq(uint32_t bytes, Packet* p, uint32_t pkt_flags)
         DebugFormat(DEBUG_STREAM_STATE, "setting seglist_base_seq to 0x%X\n", seglist_base_seq);
 
         if ( tracker->splitter )
+            // FIXIT-L must check because above may clear session
             tracker->splitter->update();
 
         // FIXIT-L abort should be by PAF callback only since recovery may be
@@ -703,7 +707,7 @@ int TcpReassembler::flush_to_seq(uint32_t bytes, Packet* p, uint32_t pkt_flags)
     }
 
     if ( !flush_data_ready() and !(tracker->get_tf_flags() & TF_FORCE_FLUSH) and
-        (!tracker->splitter or !tracker->splitter->is_paf()) )
+        !tracker->splitter->is_paf() )
     {
         DebugMessage(DEBUG_STREAM_STATE, "only 1 packet in seglist no need to flush\n");
         return 0;
@@ -793,7 +797,7 @@ uint32_t TcpReassembler::get_q_sequenced()
 int TcpReassembler::flush_stream(Packet* p, uint32_t dir)
 {
     // this is not always redundant; stream_reassemble rule option causes trouble
-    if ( !tracker->flush_policy )
+    if ( !tracker->flush_policy or !tracker->splitter )
         return 0;
 
     uint32_t bytes;